Welcome to Vista Forums we are your forum to discuss Windows Vista x64 and x86 systems. Whether you need help or just want to post an idea you have on Vista, this is the forum for you.
#1
Guest | Identity metasystem (includes Infocard)

Hi!

I am a little bit confused about InfoCard -- and I cannot find enough information about it on the msft site.

The problem websites are solving with usernames (and passwords) is that they want to know which profile is mine the next time I come to the site. How exactly is InfoCard (identity metasystem) solving this problem?

In this (msdn.microsoft.com/msdnmag/issues/06/05/SecurityBriefs/) document, I read about the Private Personal Identifier (PPID), but the information provided on that is very basic. The document mentions that this identifier is "calculated" from the site's public key, card ID and a random salt -- although I did not read that it MUST be calculated from those parameters. So, this identifier (an arbitrary-length byte array) is supposed to be unique for every site one uses an "infocard" with. Is this PPID present in every... token (or token's envelope)? Or is it just one of the claims (in which case I don't get how it can be added with the InfoCard GUI, or how it can be unique for each site)?

I did not find anything about PPID in SAML. ?

1) Self-issued scenario
Is it possible to tamper somehow with this PPID? Why not? If I export the card, I can tamper with it. If it is digitally signed with my private key, I have it, so I can sign it after modifying it -- that way, I can have the same PPID as someone else.

2) Provider-issued scenario
Obviously, this is more secure, because I cannot sign it with the provider's private key -- which the Relying website would (must) verify.

Now, since there is no definition of how long this identifier is (or must be), there is probably no definition of how it must be calculated. So, how can developers (website owners) prepare to identify users based on the PPID?

I am thinking along these lines:
- self-issued card, with first name, last name and email claims.
- I register at a site (with my self-issued card)
- the site stores my... identifier? with the profile I created.
- I store information on the site (perhaps emails, forum posts, other persistent data like documents maybe)
- When I come back to this site, the site wants to know which profile belongs to me. Now, anyone can create a card with __my__ first name, last name and email address. But they will have a different identifier. Yes? Which one? PPID? Can I change it (tamper with it)?

Thanks,
Miha.

ps: The PPID is supposed to be one of the claims, according to the document "A technical reference for InfoCard 1.0" (http://download.microsoft.com/downlo...-published.pdf)
ps2: if there is a better suited newsgroup for this type of discussion, please point me to it.
#2
Guest | RE: Identity metasystem (includes Infocard)

The self-issued provider also generates a unique public/private key pair for a site the first time it is visited. Then each time you revisit the site with that card, the site gets the unique PPID signed with the unique private key, and with the unique public key included.

See the infocard-guide-beta2-published.pdf, Appendix A – Self-Issued Identity Provider.
http://download.microsoft.com/downlo...-published.pdf

- Sid
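The model below is an added example, not code from this thread and not Microsoft's InfoCard implementation. It plays out Miha's self-issued scenario and Sid's answer together: a card derives a site-specific PPID and a site-specific signing key pair, and the relying party decides whether a token is a returning user, a new user with the same name and e-mail, or a forgery. The PPID derivation (HMAC over card ID and site identity, keyed with the card salt), the key derivation (seeded from the card's master key and the site identity), the site identity strings, and all card data are assumptions constructed for the demo; the 512-bit textbook RSA exists only so the example runs in pure Python and is not a real signature scheme.

```python
"""Toy self-issued InfoCard: per-site PPID and per-site key pair (constructed demo)."""
import hashlib
import hmac
import random


# ---- toy RSA, reproducible from a seed (demo strength only: 512-bit modulus) ----

def _is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin; rng supplies the witnesses so key generation is deterministic."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # force size and oddness
        if _is_probable_prime(cand, rng):
            return cand


def derive_site_keypair(master_key: bytes, rp_identity: bytes, bits: int = 256):
    """Per-site key pair, reproducible from (master_key, rp_identity). Assumed derivation."""
    seed = hmac.new(master_key, b"site-key|" + rp_identity, hashlib.sha256).digest()
    rng = random.Random(int.from_bytes(seed, "big"))    # demo PRNG, not a real KDF
    e = 65537
    while True:
        p, q = _gen_prime(bits, rng), _gen_prime(bits, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e is prime, so this is gcd(e, phi) == 1
            break
    return (p * q, e), (p * q, pow(e, -1, phi))          # (public, private)


def _digest_int(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")   # always < modulus


def sign(priv, msg: bytes) -> int:
    n, d = priv
    return pow(_digest_int(msg), d, n)


def verify(pub, msg: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest_int(msg)


# ---- card side ----

def derive_ppid(card_id: bytes, card_salt: bytes, rp_identity: bytes) -> bytes:
    """Site-specific PPID (assumed derivation): same card + same site -> same value."""
    return hmac.new(card_salt, card_id + b"|" + rp_identity, hashlib.sha256).digest()


def _canonical(claims: dict) -> bytes:
    return repr(sorted(claims.items())).encode()


def issue_token(card: dict, rp_identity: bytes, ppid: bytes = None) -> dict:
    """Self-issued token for rp_identity. The ppid override exists only for the forgery demo."""
    pub, priv = derive_site_keypair(card["master_key"], rp_identity)
    claims = dict(card["claims"])
    claims["ppid"] = ppid or derive_ppid(card["card_id"], card["salt"], rp_identity)
    body = _canonical(claims) + b"|" + rp_identity
    return {"claims": claims, "audience": rp_identity, "pub": pub, "sig": sign(priv, body)}


# ---- relying-party side ----

class RelyingParty:
    def __init__(self, identity: bytes):
        self.identity = identity
        self.accounts = {}          # ppid -> {"pub": site-specific public key, "profile": claims}

    def login(self, token: dict):
        """'registered', 'recognized', or None when the token is rejected."""
        if token["audience"] != self.identity:
            return None                                  # token was issued for another site
        body = _canonical(token["claims"]) + b"|" + token["audience"]
        if not verify(token["pub"], body, token["sig"]):
            return None                                  # claims were altered after signing
        ppid = token["claims"]["ppid"]
        acct = self.accounts.get(ppid)
        if acct is None:
            self.accounts[ppid] = {"pub": token["pub"], "profile": token["claims"]}
            return "registered"
        if acct["pub"] != token["pub"]:
            return None        # known PPID, unknown key: a different card claiming this PPID
        return "recognized"


def scenario() -> dict:
    """Constructed walk-through of the thread's questions; all card data is made up."""
    site_a, site_b = RelyingParty(b"siteA-public-key"), RelyingParty(b"siteB-public-key")
    miha = {"card_id": b"card-0001", "salt": b"salt-1", "master_key": b"master-1",
            "claims": {"givenname": "Miha", "surname": "V.", "email": "miha@example.org"}}
    clone = dict(miha, card_id=b"card-9999", salt=b"salt-9", master_key=b"master-9")  # same claims
    miha_ppid = derive_ppid(miha["card_id"], miha["salt"], site_a.identity)
    return {
        "first_visit": site_a.login(issue_token(miha, site_a.identity)),
        "return_visit": site_a.login(issue_token(miha, site_a.identity)),
        "same_name_other_card": site_a.login(issue_token(clone, site_a.identity)),
        # clone copies Miha's PPID into its claims and signs with its own per-site key
        "forged_ppid": site_a.login(issue_token(clone, site_a.identity, ppid=miha_ppid)),
        "ppid_differs_across_sites": miha_ppid != derive_ppid(miha["card_id"], miha["salt"], site_b.identity),
    }
```

The practitioner's takeaway is in `RelyingParty.login`: the PPID is a lookup key, not the credential. The card's site-specific public key must be pinned to the account on first use and compared on every later visit; a token whose PPID matches but whose key differs is exactly the "same PPID as someone else" case from question 1, and it is rejected without the site ever needing to know how the card computed its PPID or how long it is. Because the key pair and PPID both depend on the site identity, the same card presents unrelated values to site A and site B, which is what keeps the identifier from linking profiles across sites.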